[1608] in bugtraq


Re: nfs_mount in AIX

daemon@ATHENA.MIT.EDU (Tom Fitzgerald)
Tue Apr 25 22:47:39 1995

From: Tom Fitzgerald <fitz@wang.com>
To: rick@msc.cornell.edu
Date: Tue, 25 Apr 95 21:15:58 EDT
Cc: bugtraq@fc.net
In-Reply-To: <199504252105.AA44323@hannah.msc.cornell.edu>; from "rick@msc.cornell.edu" at Apr 25, 95 5:05 pm

> It appears that the completely undocumented routine 'nfs_mount' can be
> used by a non-root user to mount a daemon on a directory à la NFS.  It
> seems to me that this is a very nasty security hole.
> 
> I can't offer more details since, as I said, the routine is completely
> undocumented, and the only working example I have is in a piece of
> third-party software to which I do not have source.
> 
> I would appreciate it if someone could shed some light on this.

Here's a little additional information.....  the nfs_mount routine does its
work through the vmount() system call, which is documented.  If this is a
security hole at all, then it's because it would let an attacker mount a
remote filesystem under his control onto a world-readable directory like
/tmp or /var/preserve, and thereby grab a copy of everything that was
written to that directory.  Anybody want to write a test program?

nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
(since it's just a subroutine anyway) aside from a simpler interface.

-- 
Tom Fitzgerald    1-508-967-5278    Wang Labs, Lowell MA, USA    fitz@wang.com
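
A defender-side check for the condition described in the message, as an added example that is not part of the original post: it reads a mount table and reports when /tmp or /var/preserve is currently served by a remote filesystem, taking mounts stacked over the same directory into account. The column layout (node, mounted, mounted over, vfs, date, options), the sample table and all function names are assumptions constructed for illustration.

```python
import posixpath

WATCHED = ("/tmp", "/var/preserve")  # directories named in the message

# Constructed sample; column layout is an assumption modelled on AIX `mount`.
SAMPLE = """\
  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
         /dev/hd4         /                jfs    Apr 25 09:01 rw,log=/dev/hd8
         /dev/hd9var      /var             jfs    Apr 25 09:01 rw,log=/dev/hd8
         /dev/hd3         /tmp             jfs    Apr 25 09:01 rw,log=/dev/hd8
host.example /export/x    /tmp             nfs    Apr 25 21:10 rw
"""

def parse_mount_table(text):
    """Return (node, mounted, mounted_over, vfs) tuples, in table order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[:2] == ["node", "mounted"] or set(line.strip()) <= {"-", " "}:
            continue  # blank line, header or ruler
        if line[0].isspace():
            fields.insert(0, "")  # local filesystem: node column is blank
        if len(fields) >= 4:
            node, mounted, over, vfs = fields[:4]
            entries.append((node, mounted, posixpath.normpath(over), vfs))
    return entries

def covers(mount_point, path):
    """True if mount_point is path itself or one of its ancestors."""
    return mount_point == "/" or path == mount_point or path.startswith(mount_point + "/")

def backing_mount(entries, path):
    """Entry currently serving path: deepest mount point, later entry wins a tie."""
    best = None
    for entry in entries:
        if covers(entry[2], path) and (best is None or len(entry[2]) >= len(best[2])):
            best = entry
    return best

def remote_over_watched(text, watched=WATCHED):
    """Report (directory, node, exported path) where a remote filesystem serves it."""
    findings = []
    entries = parse_mount_table(text)
    for path in watched:
        entry = backing_mount(entries, path)
        if entry and (entry[0] or entry[3].startswith("nfs")):
            findings.append((path, entry[0], entry[1]))
    return findings

if __name__ == "__main__":
    for directory, node, exported in remote_over_watched(SAMPLE):
        print(f"{directory} is served by {node}:{exported}")
```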
